A new flaw discovered in Apple iOS Camera Application could be exploited in order to redirect consumers to malicious sites without their permission or knowledge. The detected bug impacts the latest Apple’s iOS 11 mobile operating system and the vulnerability resides in the built-in QR code reader in iPhones, iPads, and iPod touch devices.[1]

By exploiting this vulnerability in iOS 11 devices, attackers can redirect customers to phishing or other malicious websites.

Apple has introduced iOS 11 together with a new function that enables users ability to read QR codes using their iOS device’s native camera application without any third-party QR reader app. This might seem very convenient for most of the users because they do not need a third-party QR code reader. All you have to do is launch the Camera application on your iPhone or iPad and point it at a QR code. If the QR code includes URL address, the application will notify you and display the link addresses. If users tap on the link, the page will be opened in Safari browser.

However, according to Roman Mueller, a security researcher at Infosec, users might not be visiting the same URL site that was displayed.[2]

The URL parser which is built-in QR code reader in iOS 11 camera application can go wrong in detecting the hostname in the URL address. This failure enables hackers to exploit the vulnerability and manipulate the displayed URL, that lead to redirecting users to malicious and dangerous websites instead of the ones in QR code.

Roman Mueller also has demonstrated how the vulnerability could be exploited.

The QR code above contains the following URL address :

https://xxx\\@facebook.com:443@infosec.rm-it.de/

If users scan it with the iOS camera application it will display the following :

The researcher has tested the bug with his iPhone X that runs iOS 11.2.6 and indicated that it has worked.

QR or Quick Response code provides users a quick and convenient way to share and receive information via the device’s camera application or a third-party QR code reader application. However, today QR code is used for opening bank websites or making payments that make the security issues and vulnerabilities in QR code readers more dangerous, as these bugs can end up redirecting users into phishing or other malicious websites.

Even though the flaw was reported to Apple on December 23, 2017, the company has not fixed the issue as of today.

About the author

Gabriel E. Hall
- Antivirus software specialist

Gabriel E. Hall is an antivirus software specialist at Reviewedbypro.com.